Back in March we asked our users to provide feedback via our first-ever
user survey. Many of you responded,
and the results are in!

The survey was announced on our Slack channel and on Twitter. Participation was
anonymous and did not require leaving contact information. Most
questions had a set of predefined answers plus a field for additional
answers. All questions were optional.

We are excited to announce the Cilium 1.5 release. Cilium 1.5 is the first
release where we primarily focused on scalability with respect to the number of
nodes, pods and services. Our goal was to scale to 5k nodes, 20k pods and 10k
services. We went well past that goal with the 1.5 release and are now
officially supporting 5k nodes, 100k pods and 20k services. Along the way, we
learned a lot, some expected, some unexpected. This blog post will dive into
what we learned and how we improved.

Besides scalability, several significant features made their way into the release,
including: BPF templating, rolling updates for transparent encryption keys,
transparent encryption for direct-routing, a new BPF-based service
load-balancer with improved fairness, BPF-based masquerading/SNAT support,
Istio 1.1.3 integration, policy calculation optimizations as well as several
new Prometheus metrics to assist in operations and monitoring. For the
full list of changes, see the 1.5 Release Notes.

We are excited to announce the Cilium 1.4 release. The release introduces
several new features as well as optimization and scalability work. The
highlights include the addition of global services to provide Kubernetes
service routing across multiple clusters, DNS request/response aware
authorization and visibility, transparent encryption (beta), IPVLAN support for
better performance and latency (beta), integration with Flannel, GKE on COS
support, AWS metadata based policy enforcement (alpha) as well as significant
efforts into optimizing memory and CPU usage.

As we all enjoy a wonderful week at KubeCon 2018 US, we want to provide a
preview of the upcoming Cilium 1.4 release. We are days away from 1.4.0-rc1,
which will allow for community testing of a lot of exciting new functionality.
Some of the highlights:

Multi-Cluster service routing using standard Kubernetes services.

DNS Authorization with DNS request/response aware security policy enforcement
to restrict the DNS names a pod can look up as well as limit the egress
connectivity to the IPs returned in the DNS response of that particular pod.

Transparent encryption and authentication for all service-to-service
communication using X.509 certificates.

As always, we love hearing from you, so stop by our KubeCon booth and chat with
us and other Cilium users.

First of all, huge shout-out to Alexis Ducastel for putting together a great
CNI benchmark comparison. To be honest, there was definitely a moment of panic
when we saw the article pop up. Did we just miss a major performance regression?

This blog post documents the investigation we have done so far of what looked
like a performance regression of HTTP/FTP traffic over pure TCP.

Alexis was super quick to share the scripts that he used to collect the
benchmark numbers. This not only allowed for a quick verification
but also allows us to integrate this into our CI tests and run it alongside
the existing benchmarks for better coverage.

The same conference also featured many other BPF-related talks which we will
cover in follow-up blog posts. Particularly interesting will be Nikita V.
Shirokov's (Facebook) talk "XDP: 1.5 years in production. Evolution and
lessons learned", where Nikita shows the impressive difference between IPVS and
BPF under heavy load, as well as Vlad Dumitrescu from Google talking about
"Scaling Linux Traffic Shaping with BPF", where Vlad and others share their
experience deploying BPF to production to solve scalable traffic shaping.